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DETAILED ACTION 

This action is in response to the papers filed 1/22/2009. Claims 1-23 were 
received for consideration. 

Response Arguments 

Applicant's arguments have been considered but are moot in view of the new 
ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1 , 4, 7-10, 14, and 16-23 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Regan (U.S. 2004/0213232) in view of Inada et al (U.S. Patent # 
6,775,769) in further view of Amara et al (U.S. Patent # 6,839,338). Regan teaches with 
respect to claim 1 , a method for secure remote mirroring of network traffic, the method 
comprising: 

receiving a data packet to be remotely mirrored by an entry device (see Regan 
abstract i.e. data packets, segments, frames, or other forms of encapsulation may be 
mirrored off of a core network (e.g., IP, TCP) to one or more mirroring destinations 
without using a parallel network)) pre-configured with a mirroring destination address to 
which to mirror the data packet (see Regan abstract and paragraph 0022 i.e. a 
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forwarding engine 202 may be implemented as one or more modules used for both 
mirroring and forwarding packets from a router to a primary destination (i.e., a 
destination to which the packet is addressed) and a mirror destination (i.e., the place to 
which you want the mirror packets to be sent)); 

forwarding the data packet in unencrypted form towards an original destination 
address indicated in the data packet and a copy to a mirror destination (see Regan 
abstract and paragraph 0022-0026); and 

forwarding the encapsulated packet to an exit device associated with the 
mirroring destination address (see paragraph 0023 i.e. a forwarding engine 202 may be 
implemented as one or more modules used for both mirroring and forwarding packets 
from a router to a primary destination (i.e., a destination to which the packet is 
addressed) and a mirror destination (i.e., the place to which you want the mirror packets 
to be sent)). 

Regan does not teach encrypting a copy the data packet to form an encrypted 
packet; incrementing an identifier for indicating a position of the data packet within an 
order of packets received by an exit device; generating and adding a first header and a 
second header to the encrypted data packet to encapsulate the encrypted data packet, 
wherein the first header includes an Internet Protocol destination address corresponding 
to the destination address and said identifier, the second header includes a media 
access control (MAC) destination address, and the encapsulated encrypted packet 
comprises an IP-encapsulated encrypted packet including the IP destination address. 
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Regan teaches that the mirrored packet are encapsulated and sent via a 
transport tunnel (see paragraph 0025) but does not go into the way the packets are 
encapsulated. 

Inada teaches encrypting a copy the data packet to form an encrypted packet 
(see column 1 1 lines 43-52 i.e. encrypts the whole received plaintext pack); generating 
and adding a first header and a second header to the encrypted data packet to 
encapsulate the encrypted data packet, wherein the first header includes an Internet 
Protocol destination address corresponding to the destination address and said 
identifier (see column 1 1 lines 43-52 i.e. set new IP header), the second header 
includes a media access control (MAC) destination address (see column 1 1 lines 43-52 
i.e. then, the ciphertext MAC address resolution block 28 sets the MAC address of the 
MAC header based on the IP address of the IP header newly set), and the 
encapsulated encrypted packet comprises an IP-encapsulated encrypted packet 
including the IP destination address (see column 1 1 lines 43-52); 

It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have used the 
encapsulation as taught by Inada to encrypt and encapsulate the data packet to further 
increase the security of the data packet by not allowing other devices to intercept the IP 
packet and read its data portion (see Inada column 13 lines 39-57). Therefore one 
would have been motivated to have used the encapsulation as taught by Inada. 

Amara teaches incrementing an identifier for indicating a position of the data 
packet within an order of packets received by an exit device (see Figure 4 element 210 
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sequence number and column 8 lines 5-24). It would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject 
matter pertains to have a sequence number is used to keep track of each data packet. 
Therefore one would have been motivated to have a sequence number for each 
packet. 

With respect to claim 4 determining the MAC destination address associated with 
the destination IP address; generating and adding as the second header a MAC header 
including the MAC destination address to the IP-encapsulated packet to form a MAC 
data frame, wherein the MAC header includes the MAC destination address in a 
destination field; and transmitting the MAC data frame to communicate the IP- 
encapsulated packet across a layer 2 domain (see column 1 1 lines 43-52 i.e. then, the 
ciphertext MAC address resolution block 28 sets the MAC address of the MAC header 
based on the IP address of the IP header newly set). 

With respect to claim 7, further comprising: receiving the encapsulated encrypted 
packet by the exit device (see Amara column 8 line 66 - column 9 line 15 i.e. the 
destination device endpoint); removing the header to de-encapsulate the encrypted 
packet; and decrypting the encrypted packet to re-generate the data packet (see Amara 
column 8 line 66 - column 9 line 15 i.e. the destination device endpoint decrypts the 
original IP packet and forwards that packet to the destination device); and using said 
identifier to determine the position of the data packet within the order of packets 
received by the exit device (see Amara Figure 4 element 210 sequence number and 
column 8 lines 5-24). 
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With respect to claim 8, wherein the encrypting and decrypting is performed 
under a public-private key encryption scheme (see Amara column 10 lines 6-60). 

With respect to claim 9, wherein the encrypting is performed using a public key of 
a destination device, and wherein the decrypting is performed using a corresponding 
private key of the destination device (see Amara column 10 lines 6-60). 

With respect to claim 10, configuring the entry device in a best effort mirroring 
mode to reduce head-of-line blocking (see Amara abstract and column 8 line 66 - 
column 9 line 15). 

With respect to claim 1 1 , configuring the entry device in a lossless mirroring 
mode to assure completeness of mirrored traffic (see Amara abstract and column 8 line 
66 - column 9 line 15). 

With respect to claim 14, a networking device comprising: 

a plurality of ports for receiving and transmitting packets therefrom, wherein the 
packets are transmitted based on original destination address indicated therein (see 
Regan abstract and paragraph 0022 i.e. a forwarding engine 202 may be implemented 
as one or more modules used for both mirroring and forwarding packets from a router to 
a primary destination (i.e., a destination to which the packet is addressed) and a mirror 
destination (i.e., the place to which you want the mirror packets to be sent)); 

a secure remote mirroring engine configured to detect packets from a specified 
mirror source, and to forward the encapsulated encrypted packets to a pre-configured 
destination address corresponding to the IP destination address by way of at least one 
of the ports (see Regan abstract and paragraph 0022 i.e. a forwarding engine 202 may 
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be implemented as one or more modules used for both mirroring and forwarding 
packets from a router to a primary destination (i.e., a destination to which the packet is 
addressed) and a mirror destination (i.e., the place to which you want the mirror packets 
to be sent)). 

Regan does not teach to use an incrementing identifier to indicating an order of 
the detected packets, to encrypt the detected packets, to encapsulate each of the 
encrypted packets by adding to the encrypted packet a first header which includes said 
identifier and an internet Protocol destination address and by also adding a second 
header which includes a media access control destination address, and an encryption 
module configured to be utilized by the remote mirroring engine during encryption of the 
detected packets. 

Regan teaches that the mirrored packet are encapsulated and sent via a 
transport tunnel (see paragraph 0025) but does not go into the way the packets are 
encapsulated. 

Inada teaches to encrypt the detected packets (see column 1 1 lines 43-52 i.e. 
encrypts the whole received plaintext pack), to encapsulate each of the encrypted 
packets by adding to the encrypted packet a first header which includes said identifier 
and an internet Protocol destination address (see column 1 1 lines 43-52 i.e. set new IP 
header) and by also adding a second header which includes a media access control 
destination address address (see column 11 lines 43-52 i.e. then, the ciphertext MAC 
address resolution block 28 sets the MAC address of the MAC header based on the IP 
address of the IP header newly set). 
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It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have used the 
encapsulation as taught by Inada to encrypt and encapsulate the data packet to further 
increase the security of the data packet by not allowing other devices to intercept the IP 
packet and read its data portion (see Inada column 13 lines 39-57). Therefore one 
would have been motivated to have used the encapsulation as taught by Inada. 

Amara teaches incrementing an identifier for indicating a position of the data 
packet within an order of packets received by an exit device (see Figure 4 element 210 
sequence number and column 8 lines 5-24). It would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject 
matter pertains to have a sequence number is used to keep track of each data packet. 
Therefore one would have been motivated to have a sequence number for each 
packet. 

With respect to claim 16, The networking device of claim 15, wherein the remote 
mirroring engine encrypts the copies of the detected packets using a public key of a 
public-private key pair (see Amara column 10 lines 6-60). 

With respect to claim 17, a system for secure remote mirroring of network traffic, 
the system comprising: a mirror entry device including a secure mirroring engine 
configured to detect packets from a specified mirror source, and to forward the 
encapsulated encrypted packets to a pre-configured destination by way of at least one 
of the ports, wherein the pre-configured destination is distinct from original destination 
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indicated in the detected packets, and wherein the detected packets are forwarding in 
unencrypted form towards an original destination address indicated in the data packet 
(see Regan abstract and paragraph 0022 i.e. a forwarding engine 202 may be 
implemented as one or more modules used for both mirroring and forwarding packets 
from a router to a primary destination (i.e., a destination to which the packet is 
addressed) and a mirror destination (i.e., the place to which you want the mirror packets 
to be sent)); and a mirror exit device including a secure mirroring receiver configured to 
detect and decapsulate the encapsulated encrypted packets from the mirror entry 
device and to decrypt the encrypted packets (see Regan abstract and paragraph 0022 
i.e. a forwarding engine 202 may be implemented as one or more modules used for 
both mirroring and forwarding packets from a router to a primary destination (i.e., a 
destination to which the packet is addressed) and a mirror destination (i.e., the place to 
which you want the mirror packets to be sent)). 

Regan does not teach to use an incrementing identifier to indicating an order of 
the detected packets, to encrypt the detected packets, to encapsulate each of the 
encrypted packets by adding to the encrypted packet a first header which includes said 
identifier and an internet Protocol destination address and by also adding a second 
header which includes a media access control destination address, and an encryption 
module configured to be utilized by the remote mirroring engine during encryption of the 
detected packets. 
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Regan teaches that the mirrored packet are encapsulated and sent via a 
transport tunnel (see paragraph 0025) but does not go into the way the packets are 
encapsulated. 

Inada teaches to encrypt the detected packets (see column 1 1 lines 43-52 i.e. 
encrypts the whole received plaintext pack), to encapsulate each of the encrypted 
packets by adding to the encrypted packet a first header which includes said identifier 
and an internet Protocol destination address (see column 1 1 lines 43-52 i.e. set new IP 
header) and by also adding a second header which includes a media access control 
destination address address (see column 11 lines 43-52 i.e. then, the ciphertext MAC 
address resolution block 28 sets the MAC address of the MAC header based on the IP 
address of the IP header newly set). 

It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have used the 
encapsulation as taught by Inada to encrypt and encapsulate the data packet to further 
increase the security of the data packet by not allowing other devices to intercept the IP 
packet and read its data portion (see Inada column 13 lines 39-57). Therefore one 
would have been motivated to have used the encapsulation as taught by Inada. 

Amara teaches incrementing an identifier for indicating a position of the data 
packet within an order of packets received by an exit device (see Figure 4 element 210 
sequence number and column 8 lines 5-24). It would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject 
matter pertains to have a sequence number is used to keep track of each data packet. 
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Therefore one would have been motivated to have a sequence number for each 
packet. 

With respect to claim 18, wherein the encrypting and decrypting is performed 
under a public-private key encryption scheme (see Amara column 10 lines 6-60). 

With respect to claim 19, wherein the encrypting is performed using a public key 
of a destination device, and wherein the decrypting is performed using a corresponding 
private key of the destination device (see c Amara olumn 10 lines 6-60). 

With respect to claim 20, a system for secure remote mirroring of network traffic, 
the system comprising a mirror entry device and a pre-configured destination address 
associated with a mirror exit device; wherein the pre-configured destination is distinct 
from original destination indicated in the detected packets, wherein the detected 
packets are forwarding in unencrypted form towards an original destination address 
indicated in the data packet (see Regan abstract and paragraph 0022 i.e. a forwarding 
engine 202 may be implemented as one or more modules used for both mirroring and 
forwarding packets from a router to a primary destination (i.e., a destination to which the 
packet is addressed) and a mirror destination (i.e., the place to which you want the 
mirror packets to be sent)). 

Regan does not teach to use an incrementing identifier to indicating an order of 
the detected packets, to encrypt the detected packets, to encapsulate each of the 
encrypted packets by adding to the encrypted packet a first header which includes said 
identifier and an internet Protocol destination address and by also adding a second 
header which includes a media access control destination address, and an encryption 



Application/Control Number: 10/813,730 Page 12 

Art Unit: 2432 

module configured to be utilized by the remote mirroring engine during encryption of the 
detected packets. 

Regan teaches that the mirrored packet are encapsulated and sent via a 
transport tunnel (see paragraph 0025) but does not go into the way the packets are 
encapsulated. 

Inada teaches to encrypt the detected packets (see column 1 1 lines 43-52 i.e. 
encrypts the whole received plaintext pack), to encapsulate each of the encrypted 
packets by adding to the encrypted packet a first header which includes said identifier 
and an internet Protocol destination address (see column 1 1 lines 43-52 i.e. set new IP 
header) and by also adding a second header which includes a media access control 
destination address address (see column 11 lines 43-52 i.e. then, the ciphertext MAC 
address resolution block 28 sets the MAC address of the MAC header based on the IP 
address of the IP header newly set). 

It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have used the 
encapsulation as taught by Inada to encrypt and encapsulate the data packet to further 
increase the security of the data packet by not allowing other devices to intercept the IP 
packet and read its data portion (see Inada column 13 lines 39-57). Therefore one 
would have been motivated to have used the encapsulation as taught by Inada. 

Amara teaches incrementing an identifier for indicating a position of the data 
packet within an order of packets received by an exit device (see Figure 4 element 210 
sequence number and column 8 lines 5-24). It would have been obvious at the time the 
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invention was made to a person having ordinary skill in the art to which said subject 
matter pertains to have a sequence number is used to keep track of each data packet. 
Therefore one would have been motivated to have a sequence number for each 
packet. 

With respect to claim 21 , A method for secure remote mirroring of network traffic, 
the method comprising: 

remotely configuring an entry device with an destination address (see Regan 
abstract i.e. data packets, segments, frames, or other forms of encapsulation may be 
mirrored off of a core network (e.g., IP, TCP); 

receiving a data packet to be mirrored by the entry device (see Regan abstract 
i.e. data packets, segments, frames, or other forms of encapsulation may be mirrored 
off of a core network (e.g., IP, TCP); 

forwarding the data packet in unencrypted form towards an original destination 
address indicated in the data packet and forwarding the encapsulated encrypted packet 
to the exit device (see Regan abstract and paragraph 0022 i.e. a forwarding engine 202 
may be implemented as one or more modules used for both mirroring and forwarding 
packets from a router to a primary destination (i.e., a destination to which the packet is 
addressed) and a mirror destination (i.e., the place to which you want the mirror packets 
to be sent)). 

Regan does not teach remotely configuring an exit device at the destination 
address with a decryption key; incrementing an identifier to indicate a position of the 
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data packets within an order of packets mirrored by the entry device; encrypting a copy 
of the data packet using the encryption key to form an encrypted packet; generating and 
adding a header to encapsulate the encrypted data packet, wherein the header includes 
the mirroring destination address. 

Regan teaches that the mirrored packet are encapsulated and sent via a 
transport tunnel (see paragraph 0025) but does not go into the way the packets are 
encapsulated. 

Inada teaches to encrypt the detected packets (see column 1 1 lines 43-52 i.e. 
encrypts the whole received plaintext pack), to encapsulate each of the encrypted 
packets by adding to the encrypted packet a first header which includes said identifier 
and an internet Protocol destination address (see column 1 1 lines 43-52 i.e. set new IP 
header) and by also adding a second header which includes a media access control 
destination address address (see column 11 lines 43-52 i.e. then, the ciphertext MAC 
address resolution block 28 sets the MAC address of the MAC header based on the IP 
address of the IP header newly set). 

It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have used the 
encapsulation as taught by Inada to encrypt and encapsulate the data packet to further 
increase the security of the data packet by not allowing other devices to intercept the IP 
packet and read its data portion (see Inada column 13 lines 39-57). Therefore one 
would have been motivated to have used the encapsulation as taught by Inada. 
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Amara teaches remotely configuring an exit device at the destination address 
with a decryption key (see column 8 line 66 - column 9 line 15 i.e. the source device 
endpoint encrypts the IP packet); incrementing an identifier to indicate a position of the 
data packets within an order of packets mirrored by the entry device (see Figure 4 
element 210 sequence number and column 8 lines 5-24); 

It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have used the 
encapsulation as taught by Amara to encrypt and encapsulate the data packet to further 
increase the security of the data packet. Therefore one would have been motivated to 
have used the encapsulation as taught by Amara. 

With respect to claim 22, wherein the remote configuration is performed by way 
of SNMP (see Amara column 3 line 14 - column 4 line 17 SNMP is included in TCP/IP). 

With respect to claim 23, wherein the remote configuration is performed by way 
of a secure remote protocol (see Amara column 3 line 14 - column 4 line 17). 

Claims 5 and 6 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Regan (U.S. 2004/0213232) in view of Inada et al (U.S. Patent # 6,775,769) in view of 
Kojima et al (5,280,476). Regan and Inada do not teach with respect to claim 5, wherein 
determining the MAC address comprises: determining if a mapping of the IP destination 
address to the MAC destination address is stored in an address resolution protocol 
(ARP) cache; if so, then retrieving the MAC detination address from the ARP cache; 
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and if not, then broadcasting an ARP request with the IP destination address and 
receiving an ARP reply with the MAC destination address. 

Kojima teaches wherein determining the MAC address comprises: determining if 
a mapping of the IP destination address to the MAC destination address is stored in an 
address resolution protocol (ARP) cache (see Kojima column 5 lines 17-35); if so, then 
retrieving the MAC detination address from the ARP cache (see Kojima column 5 lines 
19-20); and if not, then broadcasting an ARP request with the IP destination address 
and receiving an ARP reply with the MAC destination address (see Kojima column 5 
lines 17-35). It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains to have added a 
MAC address to the data get to help the data get delivered to its destination across the 
LAN (see Kojima column 5 lines 17-35). Therefore one would have been motivated to 
have add a MAC address. 

With respect to claim 6, wherein the IP-encapsulated encrypted packet is 
communicated across multiple intermediate layer 2 domains (see Amara figure 1). 

Claim 12, rejected under 35 U.S.C. 103(a) as being unpatentable over Regan 
(U.S. 2004/0213232) in view of Inada etal (U.S. Patent # 6,775,769) in view of Amara 
et al (U.S. Patent # 6,839,338) in view of Classon et al (U.S. Patent 6,700,867). Regan 
and Amara teaches everything with respect to claim 1 above but does not teach 
truncating the data packet to reduce a size of the data packet prior to encryption. 
Classon teaches truncating the data packet to reduce a size of the data packet prior to 
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encryption (see column 20 lines 20-53). It would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject 
matter pertains to have truncated the data packet to satify memory (buffer) 
requirements (see column 20 lines 20-53). Therefore one would have been motivated to 
have truncated the data packet. 

Claim 13, rejected under 35 U.S.C. 103(a) as being unpatentable over Regan 
(U.S. 2004/0213232) in view of Amara et al (U.S. Patent # 6,839,338) in view of Engwer 
(U.S. Patent 6,947,483). Regan and Amara teaches everything with respect to claim 1 
above but does not teach compressing at least a portion of the data packet to reduce a 
size of the data packet prior to encryption. Engwer teaches compressing at least a 
portion of the data packet to reduce a size of the data packet prior to encryption (see 
column 1 line 52 - column 2 line 6). It would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject 
matter pertains to have compressed the data packet. Data transmission between the 
various access points (APs) and their associated mobile units may involve large 
amounts of data which may take substantial amount of time and processing power to 
transmit over the air median. Such data transmissions are costly if the transmitted data 
is uncompressed. s (see column 1 line 52 - column 2 line 6). Therefore one would have 
been motivated to have compressed the data packet. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Devin Almeida whose telephone number is 571-270- 
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1018. The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 
5:00 P.M. The examiner can also be reached on alternate Fridays from 7:30 A.M. to 
4:00 P.M. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

/Devin Almeida/ 
Examiner, Art Unit 2132 
2/03/2009 



/Benjamin E Lanier/ 

Primary Examiner, Art Unit 2432 



